I couldn't help but notice that their estimate of a million names on watch lists, around 1 of every 300 people in this country. That sounds about right for the number of people who are vocal in their opposition to this surveillance society they're building. How else could there be that many threats? Threats to what? No one wanted to believe it a few years ago. We were all paranoid. It's only a matter of time that this will "integrated" with law enforcement, national, state, and local, so that dissidents, etc, "those who are threats" can be picked up on a moments notice.

No matter how fast their encryption busting computers get, they have a limit. IMO, a proper response to this and their intercepting everyone's communication in general is to overload it. An application that integrates with encryption software comes to mind. It would generate random keys, use them to encrypt gibberish, and send it via e-mail, IM, IRC, etc to another, which would do the same. If done on a larger scale, it would become impossible to determine which encrypted traffic is real communications and which are there for them to waste computing power on.

It's only a matter of time that this will "integrated" with law enforcement, national, state, and local, so that dissidents, etc, "those who are threats" can be picked up on a moments notice.

Click to expand...

Not a matter of time, its already been done. Here is an updated view of were law enforment is heading at the moment. There is talk about using them as communication interceptors or crowd control devices as well.

I couldn't help but notice that their estimate of a million names on watch lists, around 1 of every 300 people in this country. That sounds about right for the number of people who are vocal in their opposition to this surveillance society they're building. How else could there be that many threats? Threats to what? No one wanted to believe it a few years ago. We were all paranoid. It's only a matter of time that this will "integrated" with law enforcement, national, state, and local, so that dissidents, etc, "those who are threats" can be picked up on a moments notice.

No matter how fast their encryption busting computers get, they have a limit. IMO, a proper response to this and their intercepting everyone's communication in general is to overload it. An application that integrates with encryption software comes to mind. It would generate random keys, use them to encrypt gibberish, and send it via e-mail, IM, IRC, etc to another, which would do the same. If done on a larger scale, it would become impossible to determine which encrypted traffic is real communications and which are there for them to waste computing power on.

Click to expand...

The thing is, many folks who use the "it'll take them literally forever to break such and such encryption" defense, are under the assumption that the same super computers and same technology is still being used. There are only so many encryption methods to choose from (that are known about publicly at least and are available), and several are already broken, as the article makes clear.

Meanwhile, back at Darpa and the NSA, very few know what they have and don't have, and those few generally don't talk a lot. They're a persistent bunch, and they have the brightest minds working for them, especially in cryptology. And, EncryptedBytes is right, we're already at that point. We should also (in the States) be worried about the upcoming "ISP police".

What makes that bad is not so much that ISPs will be watching, they always have been able to. What is bad is that this upcoming program is not a government program and will not have government oversight. This is an open door for agencies like the NSA to install those monitoring rooms used at AT&T and other telecommunications companies, at every U.S ISP.

The best defense against cracking encryption is to just move to stronger encryption. No one is cracking AES 256 without a flaw in the encryption being found. Bruteforcing pbkdf2 keys with AES ciphers of any length over even 8 characters would take a supercomputer hundreds of thosuands of years(edit: actually cross that, let's call that hundreds of millions.) You give it 16 characters and no technology, present or in the foreseeable future will be able to touch it - it would take less energy to make the entire water content of the planet to boil and it would still take hundreds of billions of years.

No need for garbage data or tactics. It's a matter of bringing the awful RSA system up to date. SSL data + Quantum Computer = crap. QC's are great for that kind of calculation (calculating NP Primes whatnot.)

edit: Not that this addresses the million other issues with like... everything in the world. Though universal SSL would be nice.

The best defense against cracking encryption is to just move to stronger encryption. No one is cracking AES 256 without a flaw in the encryption being found. Bruteforcing pbkdf2 keys with AES ciphers of any length over even 8 characters would take a supercomputer hundreds of thosuands of years(edit: actually cross that, let's call that hundreds of millions.) You give it 16 characters and no technology, present or in the foreseeable future will be able to touch it - it would take less energy to make the entire water content of the planet to boil and it would still take hundreds of billions of years.

No need for garbage data or tactics. It's a matter of bringing the awful RSA system up to date. SSL data + Quantum Computer = crap. QC's are great for that kind of calculation.

Click to expand...

Again, assumptions on what kind of supercomputer is in use. Besides, they don't need to break anything, all the data is already being watched, and it would take absolutely nothing to for a few laws to be put in place to prevent you outsmarting them anyway. You're no longer dealing with a "reasonable" government, as should already be quite obvious.

No, the assumption goes by energy and takes into account plausible future technology that would both increase power and efficiency.

Besides, they don't need to break anything, all the data is already being watched,

Click to expand...

They do have to break it. How else can they watch it? If everything were SSL the Government would need control over the server or your computer - that's a whole other story. Even if they had control over the ISP and DNS it wouldn't matter with a strong "universal" SSL.

You're no longer dealing with a "reasonable" government, as should already be quite obvious.

Click to expand...

We haven't been dealing with a reasonable government in nearly 100 years.

No need for garbage data or tactics. It's a matter of bringing the awful RSA system up to date. SSL data + Quantum Computer = crap. QC's are great for that kind of calculation (calculating NP Primes whatnot.)

Click to expand...

I disagree. It's the difference between being passive, which includes waiting for someone to release stronger encryption, and responding in a legal fashion with a statement that says, "This is not acceptable." There is no way I'd say that they can't crack strong encryption. They might not be able to brute force it, but they could well have other methods that shortcut the process, but still requires a lot of processing power. What is described in that article points to that being the case. Make them waste that power by giving them more to crack than they can possibly handle in a way that violates no laws. If they try to pass a law against such behavior, they'd be admitting to accessing everyone's secure data, which would not go over well at all.

Encryption that the NSA isn't able to crack (AES) is already available. The problem is that it's symmetric and not asymmetric and therefor can't be used for SSL.

Strong SSL already exists, TLS 1.2. It's just not widely used.

There is no way I'd say that they can't crack strong encryption. They might not be able to brute force it, but they could well have other methods that shortcut the process, but still requires a lot of processing power.

Click to expand...

It doesn't really matter. They can't. They can try to find flaws in it but that's not exactly easy, people are still trying to find flaws in MD5. AES128 and 256 are government standard - the NSA uses it because they know it's not cracked yet.

Are there flaws? Maybe. They aren't known though, definitely not by the govt. since that is in fact what they use themselves.

I disagree. It's the difference between being passive, which includes waiting for someone to release stronger encryption, and responding in a legal fashion with a statement that says, "This is not acceptable." There is no way I'd say that they can't crack strong encryption. They might not be able to brute force it, but they could well have other methods that shortcut the process, but still requires a lot of processing power. What is described in that article points to that being the case. Make them waste that power by giving them more to crack than they can possibly handle in a way that violates no laws. If they try to pass a law against such behavior, they'd be admitting to accessing everyone's secure data, which would not go over well at all.

Click to expand...

And if it didn't go over well? They don't care, they have the right people in the right places, and anyone who questions them gets bypassed (Congress in this case). Also, brute force isn't the only way, and it's the last method they'd use. The NSA is bound by less laws than the CIA even is, so violating existing laws isn't an issue.

@Hungry: You're asking for the net to be rebuilt, basically. You don't control your ISP, you don't control the cell towers, you can't encrypt and protect everything. Remember that whole security mindset in another topic we were discussing? About assuming a hacker was already in your network? Same thing applies here, except there is far more evidence pointing to the government already watching.

You can change what you do, you can't change the way the rest of the world and the net operates. Therefore, there will always be a weakness in your idea.

You're missing or avoiding one point and whitewashing the other. They wouldn't be doing this if it was impossible. That said, whether they can or will be able to is only part of the issue. Not responding to their trying to decrypt everyone's private communication is tantamount to saying "that's fine". I don't accept the nothing to hide rhetoric. It's way past time for people to respond.

And if it didn't go over well? They don't care, they have the right people in the right places, and anyone who questions them gets bypassed (Congress in this case). Also, brute force isn't the only way, and it's the last method they'd use. The NSA is bound by less laws than the CIA even is, so violating existing laws isn't an issue.

Click to expand...

Maybe "they" won't care, but how will most people react when it's clear that every word they say, hear and send is monitored? This is Nazi Germany all over again with a high tech twist. Unfortunately, we're well on the way to the same outcome. It's one thing to detain 10 or 100 dissidents. What happens when it's 10,000 or a million, when everyone knows someone who is being detained? There has to be a tipping point. If there isn't, then this is a nation of sheep that deserves what they get.

You're missing or avoiding one point and whitewashing the other. They wouldn't be doing this if it was impossible. That said, whether they can or will be able to is only part of the issue. Not responding to their trying to decrypt everyone's private communication is tantamount to saying "that's fine". I don't accept the nothing to hide rhetoric. It's way past time for people to respond.

Click to expand...

I wonder if thought has been put into the amount of servers and other things that will be in this building when shooting down possibilities? Has thought been put into the fact that this building will be used for not only storing data, but breaking its encryption? Do you honestly think that if they believed in the "hundreds of thousands of years" line of thinking they would bother? The government as a whole is stupid, individual agencies are not.

I too laugh at "I have nothing to hide" arguments. It's not about having or not having things to hide. The NSA has the least amount of oversight of the intelligence agencies, and the most amount of money to work with. That makes them a big, big problem.

Maybe "they" won't care, but how will most people react when it's clear that every word they say, hear and send is monitored? This is Nazi Germany all over again with a high tech twist. Unfortunately, we're well on the way to the same outcome. It's one thing to detain 10 or 100 dissidents. What happens when it's 10,000 or a million, when everyone knows someone who is being detained? There has to be a tipping point. If there isn't, then this is a nation of sheep that deserves what they get.

Click to expand...

I'll ask you a question in return: How have people reacted so far to what they already know has been happening? Sure, you get the splinter groups causing a temporary "uproar", but you don't get massive protests. Those splinter groups are also quickly shot down by making them appear to be the enemies and shutting them up via "national security" arguments.

Can it all be stopped? Well, no, not really. But it can be delayed, if and only if the masses come together. You can't have the least powerful groups stand outside the White House holding up signs. You need people with clout standing alongside those masses.

@Hungry: You're asking for the net to be rebuilt, basically. You don't control your ISP, you don't control the cell towers, you can't encrypt and protect everything. Remember that whole security mindset in another topic we were discussing? About assuming a hacker was already in your network? Same thing applies here, except there is far more evidence pointing to the government already watching.

Click to expand...

Not really. The ISP is irrelevant. DNSCrypt/SEC are already being worked on and it's not really related to ISPs.

Wilders provides SSL and it has nothing to do with ISPs.

The only thing that would have to change is the method used ie: generating primes. That's not a future-proof encryption with quantum computing coming.

At that point the NSA would have to start taking control of servers, which they could do, but servers could remove logs. That's what 4chan does.

EDIT: I do agree taht the gov't is already watching though. But they can only watch from specific areas. Unless they start going directly to the servers or directly to my computer SSL is enough to stop them.

I'll ask you a question in return: How have people reacted so far to what they already know has been happening?

Click to expand...

About half don't want to believe it or choose to believe all the anti-terrorism or anti porn rhetoric. The majority of the rest voice their dislike, then either say there's nothing we can do, or they do back to all the usual distractions.

Can it all be stopped? Well, no, not really. But it can be delayed, if and only if the masses come together. You can't have the least powerful groups stand outside the White House holding up signs. You need people with clout standing alongside those masses.

Click to expand...

If that attitude were prevalent 200+ years ago, we'd still be a British colony serving a monarchy. We'd still have racial based slavery. No one with any clout will stand up unless they have a lot of people behind them either. It either has to start somewhere or we just say this is acceptable and go back to a total class system, the filthy rich and the rest of us virtual slaves to them.

You're missing or avoiding one point and whitewashing the other. They wouldn't be doing this if it was impossible. That said, whether they can or will be able to is only part of the issue. Not responding to their trying to decrypt everyone's private communication is tantamount to saying "that's fine". I don't accept the nothing to hide rhetoric. It's way past time for people to respond.

Click to expand...

I'm not saying there's nothing to hide. The reason they're doing this is because so much traffic is not encrypted or uses weak encryption.

I'm not saying there's nothing to hide. The reason they're doing this is because so much traffic is not encrypted or uses weak encryption.

Click to expand...

And, again, the new premises will have a good percentage of its operations devoted to breaking encryption and code. And, yes, you will have to rebuild the net to take care of its fundamental flaws. Of course you can be well assured that even a rebuild will have some "doors" built in.

@Noone: 200 years ago there was an entirely different attitude period. If they saw 200 years ago what we do now, they'd board their ships and sail right back to Britain. I hate to tell you this, but you all but are back in a total class system. Back to the NSA though. Hungry, your ideas are fine, but you have to get everyone on board. It can't be you and a handful of other people, and a big enough percentage of people either do not care or have to much to lose by doing it. We have no idea what will go on in that building, and we have no idea what already is going on in the many other buildings they use.

We can go by what this particular article is saying, and that article alone is not good news, even if it's merely confirming what was already assumed and feared.

1) That's not how math works - you would have to generate a separate key and blah blah blah it wouldn't be subtle at all
2) The NSA relies on encryption to not be crackable. If there were a backdoor in an encryption method it would put their work at risk.

No, you don't have to rebuild the net. Servers just have to upgrade their TLS or make use of a different cipher (Wilders does this, again, without cooperation or intervention from the ISP.)

That's assuming they haven't already worked on or aren't working on an entirely new different encryption. Look I'm not saying E.T beamed down and handed them some deep space tech, but they most certainly are more capable than even the best of us can likely guess.

Nothing about the current state of government activities is "subtle", except for what they don't want known.

The best defense against cracking encryption is to just move to stronger encryption. No one is cracking AES 256 without a flaw in the encryption being found. Bruteforcing pbkdf2 keys with AES ciphers of any length over even 8 characters would take a supercomputer hundreds of thosuands of years(edit: actually cross that, let's call that hundreds of millions.) You give it 16 characters and no technology, present or in the foreseeable future will be able to touch it - it would take less energy to make the entire water content of the planet to boil and it would still take hundreds of billions of years.

Click to expand...

This pretty much sums up my views on this whole situation. I am still surprised at why people are shocked by this though, as more entities especially those of U.S. national interest continue to deploy stronger encryption methods you bet there will be mandates to decrypt them. (This goes for most nations) Technology is a constant battle in and of itself. This new drag net is targeting still weaker forms of encryption if it does prove effective, then it will be time to update your set up. Start using AES-256, and for PKI impliment ECC-224, 256, 384, and 521 etc.

And yes I know it will be a long time before commercial internet sectors start really switching their public key cryptography methods to ECC, but one can dream.

Potentially they could have cracked AES and are now using their own hidden method or working on a new one. I don't think this is very likely. There are other methods of encryption as it stands, AES is just great because it's really fast and not weak. They could use the other methods if there were holes... but they don't.

They could also supplement AES with other methods (Truecrypt allows this) but they don't.

They use AES because it's fast and it works and they know that. It is in their best interests to use the best encryption method.

Potentially they could have cracked AES and are now using their own hidden method or working on a new one. I don't think this is very likely. There are other methods of encryption as it stands, AES is just great because it's really fast and not weak. They could use the other methods if there were holes... but they don't.

They could also supplement AES with other methods (Truecrypt allows this) but they don't.

They use AES because it's fast and it works and they know that. It is in their best interests to use the best encryption method.

Click to expand...

I don't think it's safe to say they do or don't do something, as neither of us are in the NSA (I'll assume you aren't, hehe). Just because AES is listed in various places as their encryption of choice, doesn't make it the only one they use. I personally think it's quite likely they have developed or are developing a new method.

To steer it back towards the main topic though, if they are building their own super systems in house specifically for the purpose of breaking current methods of encryption, that says quite a bit. Again, they have very little oversight, and lots and lots of money being sent to them every year (more than the military and other agencies for certain), so they could be up to a lot and nobody outside of them and a few within the Administration is going to know about it.

Darpa is where you do the research to see if something is possible. If the NSA is putting as much effort into this new building as said, and are going to use it for the purposes stated, then they know something. There are a lot of things that weren't possible even 10 years ago, but they sure are now. I believe in math too, but funding and effort is what usually holds back progress, not math.

Just because AES is listed in various places as their encryption of choice, doesn't make it the only one they use. I personally think it's quite likely they have developed or are developing a new method.

Click to expand...

No its obviously not the only form of encryption used as symmetric algorithms can only get you so far. That being said I do feel you are over analyzing the situation. What good would it be to collaborate with many inter agencies, private sector organizations, etc establishing encryption standards only to backdoor those very standards which are put in place in many vital areas of the nation? Additionally which also is the NSA's primary duty to protect? Knowing a way to backdoor everything also means your adversary given enough time will also find that backdoor. The Rijndael variant used in AES has been around and hammered globally well over a decade now. The only noticeable vulnerabilities are in the number of rounds currently in the standard may need to be updated, or non practical related-key attacks... though the cipher itself is fine and no reason to switch anytime soon.

dw426 said:

To steer it back towards the main topic though, if they are building their own super systems in house...so they could be up to a lot and nobody outside of them and a few within the Administration is going to know about it.

Click to expand...

Intelligence agencies do not control government officials, their primary purpose is to advise decision and policy makers, who in turn can ignore their intelligence completely. The point is the NSA can't go rouge, congress, and other areas of government are well aware of what is going on, someone needs to give them the green light at the end of the day.

dw426 said:

Darpa is where you do the research to see if something is possible. If the NSA is putting as much effort into this new building as said, and are going to use it for the purposes stated, then they know something.